Actions

The event corresponding to a process destruction in Windows. In the kernel, these are also captured with the callback PsSetCreateProcessNotifyRoutine, but with point to a NULL structure.

Fields

Field

Description

Example

command_line

The command line string contains all arguments passed to the process upon execution.

example arg1 arg2, example.exe, C:\path\example.exe /flag1

exe

The basename of the image_path.

example.exe

fqdn

The fully qualified domain name of the host in which the process ran. Contains the hostname appended with the domain.

HOST1.EXAMPLE_DOMAIN.COM

hostname

The hostname of the host, without the domain.

HOST1

image_path

The file path of the executable associated with this process. This may act as a pivot to file:file_path.

C:\path\to\example.exe

md5_hash

The MD5 hash of the contents of the file located at image_path. The field is in hex notation, without the 0x prefix.

5eb63bbbe01eeed093cb22bb8f5acdc3

parent_exe

The exe field of the parent process. This is a substring of parent_image_path

example_parent.exe

parent_image_path

The image_path field of the parent process.

C:\path\to\example_parent.exe

pid

The process ID for the process, represented in decimal notation.

738

ppid

The process ID for the process’s parent, represented in decimal notation. In the parent process, this will be the pid field.

1860

sha1_hash

The SHA1 hash of the contents of the file located at image_path.

2aae6c35c94fcfb415dbe95f408b9ce91ee846ed

sha256_hash

The SHA256 hash of the contents of the file located at image_path.

68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728

sid

The security identifier of the user token that the process is running under.

S-1-5-18

signer

The company that signed the file.

FooCorp

user

The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with “<DOMAIN>\<USER>”. Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.

HOST1\LOCALUSER

integrity_level

The Windows integrity level associated with the process. MUST be one of: low, medium, high, or system.